Fix null pointer dereferencing

Add null check for return values of functions that are mostly (but not
always) checked for null.
E.g., since 98% of calls to protocol_stack_interface_info_get_by_id
check for null, it is likely that the function can return null values in
some cases, and omitting the check could crash the program.

Author: szsam

connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/att_eatt.c

@@ -267,7 +267,7 @@ static uint8_t eattL2cCocAcceptCback(dmConnId_t connId, uint8_t numChans)
 {
   eattConnCb_t *pCcb = eattGetConnCb(connId);
 
-  if ((pCcb->state == EATT_CONN_STATE_INITIATING) || (pCcb->state == EATT_CONN_STATE_RECONFIG))
+  if (!pCcb || (pCcb->state == EATT_CONN_STATE_INITIATING) || (pCcb->state == EATT_CONN_STATE_RECONFIG))
   {
     // Reject all requests while busy connecting and configuring channels
     return 0;
@@ -348,6 +348,10 @@ static void eattReqNextChannels(dmConnId_t connId)
   eattConnCb_t  *pConnCb = eattGetConnCb(connId);
   uint8_t       numChans = pEattCfg->numChans - EattGetNumChannelsInUse(connId);
 
+  if (!pConnCb) {
+    return;
+  }
+
   numChans = (numChans > L2C_MAX_EN_CHAN) ? L2C_MAX_EN_CHAN : numChans;
 
   EATT_TRACE_INFO1("eattReqNextChannels: numChans: %d", numChans);
@@ -783,7 +787,7 @@ static void eattDmCback(dmEvt_t *pDmEvt)
  *  \param  connId  DM channel ID.
  *  \param  slot    EATT slot.
  *
- *  \return None
+ *  \return L2CAP channel identifier.
  */
 /*************************************************************************************************/
 uint16_t eattGetCid(dmConnId_t connId, uint8_t slot)
@@ -795,6 +799,7 @@ uint16_t eattGetCid(dmConnId_t connId, uint8_t slot)
   else
   {
     eattConnCb_t *pCcb = eattGetConnCb(connId);
+    WSF_ASSERT(pCcb);
     return pCcb->pChanCb[slot-1].cid;
   }
 }

connectivity/FEATURE_BLE/source/generic/SecurityDb.cpp

@@ -63,10 +63,18 @@ void SecurityDb::get_entry_local_keys(
 
         /* set flags connected */
         SecurityDistributionFlags_t* flags = get_distribution_flags(correct_handle);
+        if (!flags) {
+            cb(*db_handle, NULL);
+            return;
+        }
         flags->connected = true;
 
         /* update peer address */
         SecurityDistributionFlags_t* old_flags = get_distribution_flags(*db_handle);
+        if (!old_flags) {
+            cb(*db_handle, NULL);
+            return;
+        }
         flags->peer_address = old_flags->peer_address;
         flags->peer_address_is_public = old_flags->peer_address_is_public;
 

connectivity/FEATURE_BLE/source/generic/SecurityManagerImpl.cpp

@@ -1661,6 +1661,9 @@ void SecurityManager::on_connected(
     cb->db_entry = _db->open_entry(peer_address_type, peer_address);
 
     SecurityDistributionFlags_t* flags = _db->get_distribution_flags(cb->db_entry);
+    if (!flags) {
+        return;
+    }
 
     flags->peer_address = peer_address;
     flags->peer_address_is_public =

connectivity/nanostack/coap-service/source/coap_connection_handler.c

@@ -480,7 +480,7 @@ static int secure_session_recvfrom(int8_t socket_id, unsigned char *buf, size_t
 {
     (void)len;
     internal_socket_t *sock = int_socket_find_by_socket_id(socket_id);
-    if (sock->data && sock->data_len > 0) {
+    if (sock && sock->data && sock->data_len > 0) {
         memcpy(buf, sock->data, sock->data_len);
         int l = sock->data_len;
         ns_dyn_mem_free(sock->data);

connectivity/nanostack/mbed-mesh-api/source/thread_tasklet.c

@@ -238,6 +238,9 @@ void thread_tasklet_poll_network_status(void *param)
         } else {
             memcpy(thread_tasklet_data_ptr->ip, temp_ipv6, 16);
             link_configuration_s *link_cfg = thread_management_configuration_get(thread_tasklet_data_ptr->nwk_if_id);
+            if (!link_cfg) {
+                return;
+            }
             if (memcmp(thread_tasklet_data_ptr->ip, link_cfg->mesh_local_ula_prefix, 8) == 0) {
                 thread_tasklet_network_state_changed(MESH_CONNECTED_LOCAL);
             } else {

connectivity/nanostack/sal-stack-nanostack/source/6LoWPAN/Thread/thread_bbr_api.c

@@ -682,6 +682,9 @@ static void thread_bbr_status_check(thread_bbr_t *this, uint32_t seconds)
     }
     // Check if network data as border router is possible or modified
     protocol_interface_info_entry_t *cur = protocol_stack_interface_info_get_by_id(this->interface_id);
+    if (!cur) {
+        return;
+    }
     this->br_hosted = thread_bbr_i_host_prefix(cur, bbr_prefix_ptr, &this->br_count, &br_lowest_host);
 
     if (!this->br_info_published && bbr_prefix_ptr && this->br_count == 0) {

connectivity/nanostack/sal-stack-nanostack/source/6LoWPAN/Thread/thread_bbr_commercial.c

@@ -545,6 +545,9 @@ static int thread_pbbr_bb_qry_cb(int8_t service_id, uint8_t source_address[16],
     // Test code for b/ba response override
     if (ba_response_status_count) {
         device_configuration_s *device_config = thread_joiner_application_get_device_config(this->interface_id);
+        if (!device_config) {
+            return -1;
+        }
         ml_eid_ptr = device_config->eui64;
         last_transaction_time = protocol_core_monotonic_time;
         ba_response_status_count--;
@@ -617,7 +620,7 @@ static int thread_pbbr_dua_duplicate_address_detection(int8_t service_id, uint8_
     protocol_interface_info_entry_t *cur = protocol_stack_interface_info_get_by_id(this->interface_id);
     duplicate_dua_tr_t *tr_ptr = thread_border_router_dup_tr_find(this->interface_id, addr_data_ptr);
 
-    if (!tr_ptr) {
+    if (!cur || !tr_ptr) {
         return -1;
     }
 

connectivity/nanostack/sal-stack-nanostack/source/6LoWPAN/Thread/thread_ccm.c

@@ -756,6 +756,11 @@ static int thread_ccm_reenroll_registrar_addr_resp_cb(int8_t service_id, uint8_t
         return -1;
     }
 
+    if (!cur) {
+        tr_debug("Protocol stack interface info get failed");
+        return -1;
+    }
+
     if (!thread_meshcop_tlv_find(response_ptr->payload_ptr, response_ptr->payload_len, MESHCOP_TLV_REGISTRAR_IPV6_ADDRESS, &addr_ptr)) {
         tr_debug("Registrar addr get failed");
         return -1;

connectivity/nanostack/sal-stack-nanostack/source/6LoWPAN/Thread/thread_common.c

@@ -751,8 +751,10 @@ void thread_child_id_request_info_init(thread_pending_child_id_req_t *child_info
 thread_pending_child_id_req_t *thread_child_id_request_allocate(void)
 {
     thread_pending_child_id_req_t *req = ns_dyn_mem_alloc(sizeof(thread_pending_child_id_req_t));
-    memset(req->eiid, 0, 8);
-    thread_child_id_request_info_init(req);
+    if (req) {
+        memset(req->eiid, 0, 8);
+        thread_child_id_request_info_init(req);
+    }
     return req;
 }
 

connectivity/nanostack/sal-stack-nanostack/source/6LoWPAN/Thread/thread_joiner_application.c

@@ -719,8 +719,9 @@ static void configuration_set_copy_mandatory(configuration_set_t *destination_pt
 static void configuration_set_generate(int8_t interface_id, configuration_set_t *destination_ptr, link_configuration_s *configuration_ptr)
 {
     uint8_t *response_ptr;
+    protocol_interface_info_entry_t *cur = protocol_stack_interface_info_get_by_id(interface_id);
 
-    if (!destination_ptr || !configuration_ptr) {
+    if (!destination_ptr || !configuration_ptr || !cur) {
         return;
     }
     response_ptr = destination_ptr->data;
@@ -739,7 +740,6 @@ static void configuration_set_generate(int8_t interface_id, configuration_set_t
     response_ptr = thread_tmfcop_tlv_data_write(response_ptr, MESHCOP_TLV_PSKC, 16, configuration_ptr->PSKc);
     response_ptr = thread_tmfcop_tlv_data_write(response_ptr, MESHCOP_TLV_NETWORK_NAME, stringlen((char *)&configuration_ptr->name, 16), configuration_ptr->name);
     *response_ptr++ = MESHCOP_TLV_SECURITY_POLICY; // type
-    protocol_interface_info_entry_t *cur = protocol_stack_interface_info_get_by_id(interface_id);
     if (thread_info(cur)->version >= THREAD_VERSION_1_2) {
         *response_ptr++ = 4; // length
         response_ptr = common_write_16_bit(configuration_ptr->key_rotation, response_ptr);